ACLs for network segmentation sometimes inactive

2025-05-28 11:35:53
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.2.6

Hello,

I have a question about network segmentation and wanted to find out if other users have also noticed this behavior.


I use the ER605 V2.2 in controller mode, so the configuration is carried out by an OC200.


I have created several VLANs (interfaces) and would like to separate them.

I create a total of 4 LAN > LAN ACLs, one for each VLAN. It is a DENY rule from one source VLAN to all other destination VLANs.


I run a test ping from a device on one VLAN to a device on another VLAN.
The ping is basically possible and remains possible even after the deny rules have been applied, until I reboot the gateway or terminate the connection myself for a longer period of time.
After the reboot, the segmentation works as desired. If I then adjust the rules and change any ACL, the update is transmitted to the gateway, and at that moment the ping goes through and the connection remains open again. Could it be that the rules are temporarily inactive when changes are applied?


Best Regards!

#1
Re: ACLs for network segmentation sometimes inactive
2025-05-29 01:30:30

  @sv3063h 

When a rule is applied, the service will be restarted, which is the common procedure for networking. In that time, it might have some pings pass through. But actually, in all the tests I have done, I haven't witnessed this behavior.

Mind if you share a video of this?

#2
Re: ACLs for network segmentation sometimes inactive
2025-05-29 09:07:51 - last edited 2025-05-29 09:12:14

  @Clive_A 

Hi, thanks for your answer.

I made a video where one can see that a ping -t keeps going through after applying the deny rule.

But I tested it on my OPNsense and there was the same behavior until I rebooted the client.

My message from yesterday was probably mixed from different impressions, since I come from systems where default-deny rules are in place, and I was not happy that it is not possible to address IP (groups) in LAN > LAN ACLs when the GW is in Controller mode...

So applying the deny-all rules and testing with the (management) VLAN config, plus my plan to avoid the default VLAN (default 1), which was not possible for controlling the ER605, led to some situations where the deny-all rules were not working. In my understanding, deny should be the default behavior and always working, for security reasons.

 

Best Regards!

#3
Re: ACLs for network segmentation sometimes inactive
2025-05-29 13:09:40

  @sv3063h 


If you are running a continuous ping when changing the rules, the gateway will still possibly allow the traffic to pass, even when the new rule takes effect, as it is seen as an existing connection. Only when the traffic stops, and some arbitrary timeout occurs, will the traffic then be blocked. This is because gateway rules are stateful.

 

You can see a similar effect with switch rules, as the rule change takes effect, but because switch rules are not stateful, traffic will be immediately blocked once the new rule is processed.

Main: ER8411 x1, SG3428X x1, SG3452 x1, SG2428LP x1, SG3210 x1, SG2218P x1, SG2008P x3, ES208G x1, EAP650 x6 Remote: ER7206 v2 x1, ER605 v2 x3, SG2008P x2, EAP650 x2, ES205G x1 Controller: OC300
#4
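The stateful-versus-stateless distinction drawn in the last reply (and the "some pings pass through after a rule change" observation in the first reply) can be reproduced with a small model. This is an added illustration, not part of the thread and not TP-Link/Omada code: the VLAN IDs, addresses, the 30 s idle timeout, the default-permit policy before a deny rule exists, and all function names are assumptions made for the example.

```python
"""Why an established ping survives a newly pushed LAN > LAN deny rule.

Toy model (not TP-Link/Omada code) of the two filtering styles discussed in
the thread: a stateful gateway consults its ACL only for the first packet of
a flow and then forwards the flow from its state table until it idles out;
a stateless switch ACL matches every packet. The 30 s idle timeout and the
default-permit policy are assumptions, as are all addresses and VLAN IDs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_vlan: int
    dst_vlan: int
    src_ip: str
    dst_ip: str
    proto: str = "icmp"
    t: float = 0.0  # arrival time in seconds


@dataclass
class Rule:
    src_vlan: int
    dst_vlan: int
    action: str  # "permit" or "deny"


def match(rules, pkt, default="permit"):
    """First-match ACL lookup; default-permit is an assumption."""
    for r in rules:
        if r.src_vlan == pkt.src_vlan and r.dst_vlan == pkt.dst_vlan:
            return r.action
    return default


class StatelessAcl:
    """Switch-style ACL: every packet is evaluated, so a new deny bites on
    the very next packet."""

    def __init__(self, rules):
        self.rules = list(rules)

    def filter(self, pkt):
        return match(self.rules, pkt)

    def flush_state(self):
        pass  # no state to flush


class StatefulGateway:
    """Gateway-style filtering: rules are consulted only for packets that do
    not belong to a known flow; known flows are forwarded regardless of later
    rule changes until idle for idle_timeout seconds."""

    def __init__(self, rules, idle_timeout=30.0):
        self.rules = list(rules)
        self.idle_timeout = idle_timeout
        self.flows = {}  # (proto, src_ip, dst_ip) -> last packet time

    def filter(self, pkt):
        key = (pkt.proto, pkt.src_ip, pkt.dst_ip)
        last = self.flows.get(key)
        if last is not None and pkt.t - last <= self.idle_timeout:
            self.flows[key] = pkt.t
            return "permit"  # established flow; ACL is not re-evaluated
        self.flows.pop(key, None)  # idle flow expired, or never existed
        verdict = match(self.rules, pkt)
        if verdict == "permit":
            self.flows[key] = pkt.t  # new flow enters the state table
        return verdict

    def flush_state(self):
        """Drop the state table, as a gateway reboot would."""
        self.flows.clear()


def run_ping(policy, deny_rule_at, pause_from, resume_at, end, reboot_at=None):
    """One echo request per second from VLAN 10 to VLAN 20 (constructed
    addresses). A deny rule is prepended at t == deny_rule_at, the ping is
    paused during [pause_from, resume_at), and state is flushed at reboot_at.
    Returns {t: verdict} for every packet actually sent."""
    verdicts = {}
    for t in range(end):
        if t == deny_rule_at:
            policy.rules.insert(0, Rule(10, 20, "deny"))
        if t == reboot_at:
            policy.flush_state()
        if pause_from <= t < resume_at:
            continue
        verdicts[t] = policy.filter(Packet(10, 20, "10.0.10.5", "10.0.20.5", t=float(t)))
    return verdicts


if __name__ == "__main__":
    gw_v = run_ping(StatefulGateway([]), deny_rule_at=5, pause_from=10, resume_at=50, end=55)
    sw_v = run_ping(StatelessAcl([]), deny_rule_at=5, pause_from=10, resume_at=50, end=55)
    for t in (4, 5, 9, 50):
        print(f"t={t:>2}s  gateway={gw_v[t]:<6}  switch={sw_v[t]}")
    rb = run_ping(StatefulGateway([]), 5, 100, 100, 10, reboot_at=7)
    print("gateway flow across a reboot at t=7:", rb[6], "->", rb[7])
```

The deny rule is added at t=5 while the ping runs. The stateless switch denies from t=5 onward; the stateful gateway keeps permitting the established flow at t=5 and t=9, and only denies at t=50 after the flow has been idle longer than the timeout. Flushing the state table at t=7, the model's stand-in for a gateway reboot, makes the same deny take effect immediately, which matches the original poster's observation that the rules "work after a reboot".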